Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

In what may be a first for the EMR industry, ambulatory EMR vendor Practice Fusion has settled Federal Trade Commission charges that it misled consumers as part of a campaign to gather reviews for its doctors.

Under the terms of the settlement, Practice Fusion agreed to refrain from making deceptive statements about the privacy and confidentiality of the information it collects from consumers. It also promised that if it planned to make any consumer information publicly available, it would offer a clear and conspicuous notice of its plans before it went ahead, and get affirmative consent from those consumers before using their information.

Prior to getting entangled in these issues, Practice Fusion had launched Patient Fusion, a portal allowing patients whose providers used its EMR to download their health information, transmit that information to another provider or send and receive messages from their providers.

The problem targeted by the FTC began in 2012, when Practice Fusion was preparing to expand Patient Fusion to include a public directory allowing enrollees to search for doctors, read reviews and request appointments. To support the rollout, the company began sending emails to patients of providers who used Practice Fusion’s EMR, asking patients to review their provider. In theory, this was probably a clever move, as the reviews would have given Practice Fusion-using practices greater social credibility.

The problem was, however, that the request was marketed deceptively, the FTC found. Rather than admitting that this was an EMR marketing effort, Practice Fusion’s email messages appeared to come from patients’ doctors. And the patients were never informed that the information would be made public. And worse, a pre-checked “Keep this review anonymous” box only withheld the patient’s name, leaving information in the text box visible.

So patients, who thought they were communicating privately with their physicians, shared a great deal of private and personal health information. Many entered their full name or phone number in a text box provided as part of the survey. Others shared intimate health information, including one consumer who asked for dosing information for “my Xanax prescription,” and another who asked for help with a suicidally depressed child.

The highly sensitive nature of some patient comments didn’t get much attention until a year later, when EMR and HIPAA broke the story and then Forbes published a follow-up article on the subject. After the articles appeared, Practice Fusion put automated procedures in place to block the publication of reviews in which consumers entered personal information.

In the future, Practice Fusion is barred from misrepresenting the extent to which it uses, maintains and protects the privacy or confidentiality of data it collects. Also, it may not publicly display the reviews it collected from consumers during the time period covered by the complaint.

There are many lessons to be gleaned from this case, but the most obvious seems to be that misleading communications that impact patients are a complete no-no. According to an FTC blog item on the case, the lessons also include that health IT companies should never bury key facts in a dense privacy policy, and that disclosures should use the same eye-catching methods the companies use for marketing, such as striking graphics, bold colors, big print and prominent placement.

In the world of HIPAA, it’s hard to understand not so much the lack of clear communication, but the willingness of the firm to post the reviews online where people could see PHI. One has to guess that some marketing genius came up with the review idea and that it was never properly vetted by their attorneys. Regardless, hopefully no EHR firm will make any mistake like this again.

What I don’t get, though, is why a person would write a review of their doctor and put anything personally identifying in it. If I’d gotten that PF communication, I’d have assumed that my doctor who ‘sent’ it would post my review on his or her web site, and would never have put any sort of ID info on it; I would not have even used my name. But in a world where people think that the bankruptcy king now running for President would handle the economy well, I have to accept that many people are not as rational as I’d like to think I am!

That original article was quite comprehensive. It reminds us that this was a real lapse of vendor doctor communications. I still wonder how their legal people let this happen – assuming they were asked in the first place.

Just curious – how is PF doing these days? I assume they will finally get past this problem. But has it proven to be a viable way for small practices or others who can’t afford an expensive EHR to get up to speed? Have they otherwise been responsive to both provider and patient needs? One thing I like about PF – that they take direct result data from labs like Quest. In the medical practice I use, they have EPIC (and MyChart) and only get results by fax, which gets scanned in and is not available in the portal. It is scary that a ‘freebie’ like PF gets it right and EPIC doesn’t, at least not for this huge institution that my practice is part of.

Ron,
I’ve heard a lot of perspectives on how they’re doing. Really hard to say. I’ll stick with my original analysis: they’ve created value, but it’s hard to see how they’ll provide a great return for their investors.